August 12, 2024 · Credit, Investment, Savings, Security

Don’t Be Quished—Be Careful of QR Code Scams

What is quishing? Well, it doesn’t involve squishing anything or doing something quickly. It does involve an image, and it is something illegal to avoid because it can fool and scam innocent victims.

Okay, so exactly what is quishing and why is it bad for me?

Quishing is another version of phishing. Phishing is when scammers use fake emails, social media posts, or text messages to lure their intended victims to click on a bad link to go to a bogus website, download a malicious file attachment to their computer or mobile phone, or call a number to connect to a crook. If you click on a phishing link or file, input information into a fake website, or talk to someone you shouldn’t, you may get defrauded and give up control of your device, personal information, identity, financial and social media accounts and money to cybercriminals.

Quishing is phishing that uses “Quick Response Codes” (QR or QRC); it’s a type of consumer cyberattack method where a false QR code leads to a fake website for illegally capturing what should be private and protected information, which could include (but not be limited to) passwords and other account log-in details, Social Security numbers or other sensitive, personal information. Additionally, the site linked to the QR code could trigger a download to install malware (a term created from the phrase malicious software)—such as a computer virus—to infect and take control of a computer or a phone.

If now you’re wondering what a QR code is, well, it’s a black and white rectangular image that can be viewed by a camera (such as on a mobile phone) that uses the image to connect to something on the internet, such as a website, document, software or…malware. According to the online encyclopedia Wikipedia, a QR code “consists of black squares arranged in a square grid on a white background…which can be read by an imaging device such as a camera, and processed…until the image can be appropriately interpreted.” A QR code can be read and interpreted by a mobile phone’s camera, which after reading the QR code would then automatically use other software on the phone (such as a web browser) to lead from the QR code to something as simple as an online image of a restaurant menu, or it can connect to detailed websites, including websites for legitimate payments and false websites to hijack financial accounts and steal money.

Where you could encounter quishing

After they were introduced, QR codes were adopted by many industries and companies since they were easy to generate and use and took up much less space than pictures, text or videos. They can be seen in restaurants replacing printed menus, on commercial vehicles, in digital and print advertisements, on marketing mail, and on many, many consumer products, including food, toys, and electronics. The QR codes often link to more information about a company, a product (including instruction manuals and how-to videos), and even to employment opportunities. Most of these codes are authentic and from reputable companies, but there are situations where QR codes are more likely to be generated by fraudsters who have carefully planned how to steal personal information and money.

Bogus QR codes from crooks could be encountered in different situations at home, at work, and out in public, including some of these:

  • Within phishing emails or text messages with a sense of urgency because of a false claim that a social media or financial account is being threatened, or a large financial prize has been won, and the account or prize must be authenticated by using the fraudulent QR code in the message.
  • In emails or online advertising for special discounts and deals on subscription services or products that are too good to be true and the code must be scanned to receive the deal.
  • Unattended parking meter and parking space scams, where a fake sticker has covered up a legitimate code for payment on the machine or the sticker has been attached to other highly visible places around the parking lot or deck.
  • Gas pumps are another location where illegal stickers could be used to cover up authentic payment codes.
  • QR package scams, where an email or text message is received announcing that a package is arriving from a well-known retailer or shipping company, or it has been lost, or couldn’t be delivered and the code must be used to track and get the package.
  • Scams for charities, again using an email (which may highlight current victims of natural disasters or armed conflicts) with an embedded QR code for donating money to a legitimate looking—but very fake—charity organization.
  • Online advertisement, signs or stickers on the outside of convenience stores or other buildings promoting cryptocurrency (crypto) exchanges, conversions to dollars, or related crypto payment methods.

Clues to help spot and avoid getting quished

Here are some detailed tips on how to detect what may be a quishing lure and how to escape being hooked:

  • The easiest advice to consider following is to always avoid scanning QR codes unless there is no other way to get needed information from a reputable source you know and believe you can trust. But stay away from sketchy QR providers you don’t know and have no reason to trust unless you can first verify the company, organization, or person.
  • Does the email, advertisement, coupon, sticker or sign contain an offer that’s too good to be true, that you may want to believe but seems very unrealistic?  Does it promise something that’s unlikely to happen and seems wonderful but is just much too favorable a deal?
  • Does it come from a company that you don’t have an account with and rarely—if ever—have any business dealings with, such as a store that you never shop at?
  • Does it include language that’s urgent, alarming, or threatening to try to create a sense of panic, such as accusing you of doing something illegal or that your financial, social media, or other types of accounts are at immediate risk?
  • Does it have poorly crafted writing and a QR image, with misspellings, poor grammar, strange sentence structure, and an indistinct, poor quality image?
  • Is the greeting in an email or text ambiguous or very generic?
  • Does a message include a request for (or insist it needs) personal and account information?
  • Is it a strange or abrupt business request, such as a job offer from a company where you’ve never applied for a position?
  • If you already scanned a QR code and then are connected to online content that is not related to the topic or sender of the email, text or other source of the code, close that page immediately.
  • Also, after linking from the QR code, beware of getting sent to an unfamiliar and odd website name that doesn’t seem to represent the sender or business offering the code. As recommended in the point above, if the URL—the website address—is unknown and looks suspicious, then close that webpage and your browser quickly.
  • Does the sender’s email address match the company it’s coming from? Look for small misspellings like pavpal.com, anazon.com, uups.com, i.r.s.net, or feddexx.com that lead to fake websites. Hover your cursor over a link in the message to reveal the entire email address and whether it appears normal and authentic. It also is worth some research to look up the actual website address of the company to see if it matches the email link(s). If you hover over a link and it reveals a personal email address (usually one that doesn’t include the name of the sending company) but the email supposedly comes from that company, then the message is a fake—reputable major companies do not allow personal email addresses to be used for corporate communications.
  • Does the email supposedly come from a United States government agency? It is often mandated by law that the U.S. federal government must conduct the majority of its official business with American citizens through the U.S. mail service using hard-copy documents and not through emails, texts or calls.
  • Delta Community usually does not use QR codes in its member emails, but occasionally uses them in some printed materials. An email to members from the Credit Union would generally not have a QR code, but some of its printed materials such as posters, flyers, and some letters may at times include a QR code.
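
The website-address check from the tips above (comparing where a QR code leads against the company's real address), as an added example that is not part of the original post. The `TRUSTED` list, the distance thresholds and the function names are assumptions made for illustration; the misspelled sample addresses are the ones quoted in the tips.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the real domains behind the misspelled examples in the tips.
TRUSTED = ["paypal.com", "amazon.com", "ups.com", "irs.gov", "fedex.com"]

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Classify the URL decoded from a QR code.

    Returns ("trusted" | "lookalike" | "unknown" | "invalid", matched_domain).
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("invalid", None)  # no scheme or no host: nothing to compare
    # Exact domain or a genuine subdomain of an allowlisted domain.
    for domain in TRUSTED:
        if host == domain or host.endswith("." + domain):
            return ("trusted", domain)
    labels = host.split(".")
    # Names to compare: the label left of the TLD, and every label joined
    # together (catches dotted spellings such as i.r.s.net).
    candidates = {labels[-2] if len(labels) > 1 else labels[0], "".join(labels[:-1])}
    candidates = {c.replace("-", "") for c in candidates if c}
    for domain in TRUSTED:
        brand = domain.rsplit(".", 1)[0]
        # Assumed thresholds: short names tolerate one edit, longer names two.
        limit = 1 if len(brand) <= 4 else 2
        if any(edit_distance(c, brand) <= limit for c in candidates):
            return ("lookalike", domain)
    return ("unknown", None)

if __name__ == "__main__":
    for sample in ["https://www.paypal.com/signin", "https://pavpal.com/login",
                   "https://i.r.s.net/refund", "https://example.org/menu"]:
        print(sample, "->", classify(sample))
```

An "unknown" result only means the address is not on the allowlist and does not resemble an entry on it; it is not a sign that the site is safe.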

Contact us right now if you think you’ve been scammed or your account(s) have been hacked or tampered with in any way

  • If you think any of your Delta Community accounts have been compromised or may be at risk, immediately contact our Member Care Center via our toll-free number at 800-544-3328 with whatever details you have, including dates, amounts of money, email messages, email addresses, text messages, phone numbers and names.
  • Please remember that Delta Community will never call, text or email you to ask for your checking, savings or investment account, ATM, debit or credit card numbers or passwords, your telephone access (IVR) PIN or one-time passcode.
  • The Credit Union will also never ask members to send money electronically as a test or share one-time passcodes received via email or text.
  • If someone purporting to be from Delta Community calls and asks for any of this type of information, hang up quickly and call the Credit Union Member Care Center at the number above.

How about more info that might prevent being phished, quished, smished, spoofed or vished? Delta Community’s blog and Financial Education Center have more tips for online security

More information on protecting your identity, your network and your personal computing and communications devices is available from free, monthly Delta Community Financial Education Center webinars on many different money and security-related topics. Please visit the Financial Education Center's Events & Seminars page to register for its no-cost, on-demand webinars.

Delta Community’s blog and security posts have more detailed recommendations on handling online personal security: